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27 January 2021 
Dear Sirs 


RE: Public Consultation: - Legislative options to inform the development 
of an Adult Protection Bill for Northern Ireland 


We refer to the above public consultation which was published on 17 December 
2020. 


We note that the consultation relates to the development of a proposed Adult 
Protection Bill for Northern Ireland. As you are probably aware, Article 36(4) of 
the UK GDPR requires data controllers to consult with the ICO in relation to any 
legislative proposals which relate to the processing of personal data. It is 
therefore likely that any proposed legislation concerning the development of an 
Adult Protection Bill will need to be submitted to our office through this process 
during the development stage. You can read more guidance about this 
requirement and access the Article 36(4) Enquiry Form here. 


Having had an opportunity to review the consultation document, we felt that it 
may be useful to share some initial thoughts with respect to some potential 
personal data implications which the DOH may wish to give consideration to. I 
have detailed these below:- 


Data sharing 


e The consultation document references the need for co-operation and 
information sharing among various interested bodies. It appears that the 
Department is considering placing a new statutory duty on a number of 
organisations to share information with one another and a provision 
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requiring organisations to explain in writing any reasons for failure to 
comply with this duty. When sharing personal data, it is important for 
organisations to give careful consideration to any data protection 
implications that may exist. Organisations should ensure that any data 
shared with external parties is done so in a lawful, fair and accurate 
manner and in keeping with the UK GDPR principles. Organisations may 
wish to consult our new Data Sharing Code of Practice which can be found 
here on our website. 


Data Sharing Agreements 


e Organisations involved in data sharing should also consider the 
implementation of data sharing agreements which should:- 


I. set out the purpose of the data sharing 
II. cover what happens to the data at each stage 
III. set standards and help all the parties involved in sharing to be clear 
about their roles and responsibilities. 


Data sharing agreements should also deal with any practical problems that 
may arise when sharing personal data. This should ensure that all 
organisations involved in the sharing have detailed advice about which 
datasets they can share. This should assist with the prevention of irrelevant 
or excessive information being disclosed. Such agreements will also assist 
with ensuring that organisations have common technical and organisational 
security arrangements in place and address any operational differences 
which may exits with respect to retention or deletion periods. 


Security, data minimisation and retention periods 


e Given the sensitive nature of the personal information being collected, 
specific and detailed consideration should be given to ensuring appropriate 
security measures are implemented so that personal information is not 
compromised. The completion of a DPIA may assist with identifying any 
potential risks associated with proposed personal data processing. As part 
of this, organisation’s should consider areas such as cyber security, human 
error data breaches, inappropriate access to sensitive information, staff 
training, data storage and data transfer mechanisms. Article 25 of the UK 
GDPR mandates that, at the time of the determination of the means of 
processing and at the time of the processing itself, appropriate technical 


1CO. 


Information Commissioner’s Office 


and organisational measures should be in place to implement data 
protection and to integrate the necessary safeguards into the processing. 


Independent Adult Protection Board for Northern Ireland 


e Reference is made within the consultation document to the establishment 
of a new Independent Adult Protection Board for Northern Ireland which 
will have responsibility for serious case reviews (multi-agency reviews that 
look into the circumstances surrounding the death of, or serious harm to, 
an adult at risk and in need of protection). It will be important to ensure 
that members of the proposed independent board are provided with 
practical data protection training that is specific to their role. Such training 
should be refreshed on a regular basis. 


As stated above, we anticipate further engagement on this matter as per Article 
36(4) stipulations. In the meantime we hope you find the above comments 
helpful as you move forward with your proposals. Should you wish to discuss 
any of the above further, please do not hesitate to contact our office at 


ni@ico.org.uk . 


Kind regards 
Conan O’Brien 


Conan O’Brien 


@ 
1C 0O. Senior Policy Officer — Northern Ireland 
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